From e7663235ed0a6d80f2f27b34323a96f1f93e0f8557f4eb1dfae1d78d10c2f0d8 Mon Sep 17 00:00:00 2001
From: Miquel Sabate Sola
Date: Wed, 10 May 2017 14:04:27 +0000
Subject: [PATCH] Accepting request 494283 from home:cyphar:containers

- Add a partial fix for boo#1038493.
- Fixed bsc#1037436 where execids were being leaked due to bad error handling.
This is a backport of https://github.com/docker/cli/pull/52.
+ bsc1037436-0001-client-check-tty-before-creating-exec-job.patch

OBS-URL: https://build.opensuse.org/request/show/494283
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=184
---
 ...t-check-tty-before-creating-exec-job.patch | 69 +++++++++++++++++++
 docker.changes | 12 +++-
 docker.spec | 8 ++-
 3 files changed, 86 insertions(+), 3 deletions(-)
 create mode 100644 bsc1037436-0001-client-check-tty-before-creating-exec-job.patch
diff --git a/bsc1037436-0001-client-check-tty-before-creating-exec-job.patch b/bsc1037436-0001-client-check-tty-before-creating-exec-job.patch
new file mode 100644
index 0000000..939bd0b
--- /dev/null
+++ b/bsc1037436-0001-client-check-tty-before-creating-exec-job.patch
@@ -0,0 +1,69 @@
+From c117441b1a74affb013a42ee8225d69ecfaf4d72 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai
+Date: Tue, 9 May 2017 23:31:46 +1000
+Subject: [PATCH] client: check tty before creating exec job
+
+This is necessary in order to avoid execId leaks in the case where a
+`docker exec -it` is run without a terminal available for the client.
+You can reproduce this issue by running the following command many
+times.
+
+ % nohup docker exec -it some_container true
+
+The container `some_container` will have execIDs that will never
+normally be cleaned up (because the client died before they were
+started).
+
+In addition, this patch adds a docker-inspect step to ensure that we
+give "container does not exist" errors consistently.
+
+[SUSE: Fixes bsc#1037436.]
+
+Signed-off-by: Valentin Rothberg
+Signed-off-by: Aleksa Sarai
+---
+ cli/command/container/exec.go | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/cli/command/container/exec.go b/cli/command/container/exec.go
+index 676708c77b91..d85113259242 100644
+--- a/cli/command/container/exec.go
++++ b/cli/command/container/exec.go
+@@ -79,6 +79,19 @@ func runExec(dockerCli *command.DockerCli, opts *execOptions, container string,
+ ctx := context.Background()
+ client := dockerCli.Client()
+
++ // We need to check the tty _before_ we do the ContainerExecCreate, because
++ // otherwise if we error out we will leak execIDs on the server (and
++ // there's no easy way to clean those up). But also in order to make "not
++ // exist" errors take precedence we do a dummy inspect first.
++ if _, err := client.ContainerInspect(ctx, container); err != nil {
++ return err
++ }
++ if !execConfig.Detach {
++ if err := dockerCli.In().CheckTty(execConfig.AttachStdin, execConfig.Tty); err != nil {
++ return err
++ }
++ }
++
+ response, err := client.ContainerExecCreate(ctx, container, *execConfig)
+ if err != nil {
+ return err
+@@ -90,12 +103,8 @@ func runExec(dockerCli *command.DockerCli, opts *execOptions, container string,
+ return nil
+ }
+
+- //Temp struct for execStart so that we don't need to transfer all the execConfig
+- if !execConfig.Detach {
+- if err := dockerCli.In().CheckTty(execConfig.AttachStdin, execConfig.Tty); err != nil {
+- return err
+- }
+- } else {
++ // Temp struct for execStart so that we don't need to transfer all the execConfig.
++ if execConfig.Detach {
+ execStartCheck := types.ExecStartCheck{
+ Detach: execConfig.Detach,
+ Tty: execConfig.Tty,
+--
+2.12.2
+
diff --git a/docker.changes b/docker.changes
index 5ae879b..d4c97f0 100644
--- a/docker.changes
+++ b/docker.changes
@@ -1,7 +1,15 @@
+-------------------------------------------------------------------
+Wed May 10 13:54:44 UTC 2017 - asarai@suse.com
+
+- Add a partial fix for boo#1038493.
+- Fixed bsc#1037436 where execids were being leaked due to bad error handling.
+ This is a backport of https://github.com/docker/cli/pull/52.
+ + bsc1037436-0001-client-check-tty-before-creating-exec-job.patch
+
 -------------------------------------------------------------------
 Thu May 4 19:03:40 UTC 2017 - jmassaguerpla@suse.com
-- Fix golang requirements in the subpackages
+- Fix golang requirements in the subpackages
 -------------------------------------------------------------------
 Mon May 1 07:57:35 UTC 2017 - fcastelli@suse.com
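Review bot: The ContainerInspect added at the top of the nested hunk `@@ -79,6 +79,19 @@` discards its result and only fixes which error message wins; the container can still be removed between that call and ContainerExecCreate, so the ExecCreate error return that follows is still the one callers actually depend on, and the comment should say so: `// The inspect only makes "no such container" errors consistent; ContainerExecCreate can still fail and its error must be returned as before.` The leak described in the commit message is narrowed rather than closed: once ContainerExecCreate has returned, any failure or client death before the exec is started still leaves an unstarted exec instance on the daemon, which is presumably why the tty check is moved ahead of it rather than a cleanup added — worth one sentence in the comment so a later reader does not assume every path is covered. The extra inspect is also one more API round trip per exec, which the comment should acknowledge as deliberate. runExec starts before the hunk and continues past both nested hunks.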
@@ -33,7 +41,7 @@ see /usr/share/doc/packages/docker/CHANGELOG.md
 -------------------------------------------------------------------
 Wed Apr 12 09:54:18 UTC 2017 - jmassaguerpla@suse.com
-- Make sure this is being built with go 1.7
+- Make sure this is being built with go 1.7
 -------------------------------------------------------------------
 Wed Apr 12 09:14:35 UTC 2017 - jmassaguerpla@suse.com
diff --git a/docker.spec b/docker.spec
index 7978c3a..3334881 100644
--- a/docker.spec
+++ b/docker.spec
@@ -54,6 +54,8 @@ Patch200: secrets-0001-daemon-allow-directory-creation-in-run-secrets.patc
 Patch201: secrets-0002-SUSE-implement-SUSE-container-secrets.patch
 # PATCH-FIX-UPSTREAM: Backports.
 Patch300: integration-cli-fix-TestInfoEnsureSucceeds.patch
+# PATCH-FIX-UPSTREAM: Backport of https://github.com/docker/cli/pull/52 (bsc#1037436).
+Patch400: bsc1037436-0001-client-check-tty-before-creating-exec-job.patch
 BuildRequires: audit
 BuildRequires: bash-completion
 BuildRequires: ca-certificates
@@ -165,6 +167,7 @@ Test package for docker. It contains the source code and the tests.
 %patch201 -p1
 %endif
 %patch300 -p1
+%patch400 -p1
 cp %{SOURCE7} .
 cp %{SOURCE10} .
@@ -186,6 +189,9 @@ BUILDTAGS="seccomp $BUILDTAGS"
 export AUTO_GOPATH=1
 export DOCKER_BUILDTAGS="$BUILDTAGS"
 export DOCKER_GITCOMMIT=%{git_version}
+# Until boo#1038493 is fixed properly we need to do this hack to get the
+# compiled-into-the-binary GOROOT.
+export GOROOT="$(GOROOT= go env GOROOT)"
 EOF
 ) > docker_build_env
 . ./docker_build_env
@@ -255,7 +261,7 @@ PKG_LIST=$(go list -e \
 | grep -v 'github.com/docker/docker/pkg/integration$')
 %else
 | grep -v 'github.com/docker/docker/pkg/integration$' \
- | grep -v 'github.com/docker/docker/profiles/seccomp$')
+ | grep -v 'github.com/docker/docker/profiles/seccomp$')
 %endif
 go test -cover -ldflags -w -tags "$DOCKER_BUILDTAGS" -a -test.timeout=10m $PKG_LIST